Communication between computers, intelligent electronic devices (IEDs), internet of things (IoT) devices and similar equipment has become an important aspect of everyday life in private, industrial, and business environments. Data networks provide a medium for such communication, and further for communication between the various types of devices connected to the network, such as servers, personal computers, workstations, IEDs, IoT devices, memory storage systems, or any other component capable of receiving data from or transmitting data to the network. The devices may communicate with each other using defined protocols that govern the orderly transmission and receipt of information. In general, the elements view the network as a cloud to which they are attached and, for the most part, do not need to know the details of the network architecture, such as how the network operates or how it is implemented. Ideally, any network architecture should support a wide range of applications and allow a wide range of underlying technologies. The network architecture should also work well for very large networks, be efficient for small networks, and adapt to changing network conditions.
Data networks can generally be differentiated based on their size. At the lower end, a local area network (LAN) describes a network having characteristics including multiple systems attached to a shared medium, high total bandwidth, low delay, low error rates, broadcast capability, limited geography, and a limited number of stations; LANs are generally not subject to post, telegraph, and telephone regulation. At the upper end, an enterprise network describes the interconnection of wide area networks and LANs linking diverse business units within a geographically dispersed business organization.
To facilitate communication within larger networks, the networks are typically partitioned into subnetworks, each sharing some common characteristic such as geographical location or functional purpose, for example. The partitioning serves at least two purposes: (1) to break the whole network down into manageable parts; and (2) to logically (or physically) group users of the network. Network addressing schemes may take such partitioning into account and thus an address may contain information about how the network is partitioned and where the address fits into the network hierarchy.
There remains a need for a critical infrastructure security framework to ensure that communication between elements is kept secure, that confidentiality is maintained, and that access to critical assets (e.g. protection and control equipment such as, for example, IEDs, PLCs, etc.) remains protected. Security in enterprise applications is mostly supported through appliances referred to as firewalls, whose main functions include filtering network traffic and applying configurable network security rules referred to as “firewall rules”. The firewall devices may be placed at a central location where traffic needs to be controlled, examined or reviewed, typically where a connection to the Internet exists, and apply security measures on a flow-based approach referred to as the stateful firewall method. For industrial and critical infrastructure applications, the nature of the networks and the security requirements are different than in the enterprise world, which leads to the need for new security frameworks.
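The flow-based (stateful) firewall method mentioned above can be illustrated with a small packet filter. The following is an added example, not code from the original document: a rule set decides which new flows may be opened, the filter remembers each opened flow, and return traffic is admitted only because a matching flow already exists. The subnets, ports and host addresses are constructed for the example.

```python
"""Flow-based (stateful) packet filter with configurable rules.

Added illustration of the stateful-firewall approach; not code from the
original document. Addresses, ports and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (
            ip_address(pkt.src) in ip_network(self.src_net)
            and ip_address(pkt.dst) in ip_network(self.dst_net)
            and pkt.proto == self.proto
            and (self.dport is None or pkt.dport == self.dport)
        )


class StatefulFirewall:
    """Rules decide whether a *new* flow may start. Once a flow is recorded,
    packets belonging to it, in either direction, pass without re-evaluating
    the rules; anything else falls through to an implicit default deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.flows: Dict[Flow, str] = {}  # flow key -> action that opened it

    @staticmethod
    def _key(p: Packet) -> Flow:
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse(p: Packet) -> Flow:
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def process(self, pkt: Packet) -> str:
        # 1. Packet belongs to a known flow (forward or return direction).
        if self._key(pkt) in self.flows or self._reverse(pkt) in self.flows:
            return "allow"
        # 2. Otherwise only an explicit allow rule may open a new flow.
        for rule in self.rules:  # first match wins, as in most rule sets
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.flows[self._key(pkt)] = "allow"
                return rule.action
        return "deny"  # implicit default deny


# Constructed rule set: the HMI subnet may open TCP/502 sessions to the
# IED subnet; nothing else may initiate a flow.
RULES = [
    Rule("10.0.1.0/24", "10.0.2.0/24", "tcp", 502, "allow"),
]


def run_example() -> List[str]:
    fw = StatefulFirewall(RULES)
    packets = [
        Packet("10.0.1.10", 40001, "10.0.2.20", 502, "tcp"),  # HMI -> IED request
        Packet("10.0.2.20", 502, "10.0.1.10", 40001, "tcp"),  # IED -> HMI reply (same flow)
        Packet("10.0.9.9", 40002, "10.0.2.20", 502, "tcp"),   # unknown host -> IED
        Packet("10.0.2.20", 502, "10.0.1.11", 40003, "tcp"),  # IED -> HMI, no prior request
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_example():
        print(verdict)
```

The fourth packet shows the point of keeping flow state: it looks like a legitimate reply, but no request ever opened that flow, so it is dropped even though a stateless port-based rule might have let it through.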
Intrusion detection systems (IDS) may also be required to detect security breaches, or possible breaches, by detecting anomalies in the operation of the network, devices, etc. Although there are multiple IDS solutions in the enterprise world, there remains a need for specialized industrial IDS that provide the functionality and security required by critical infrastructure protocols to counter various cyber security threats, including, but not limited to, cyber-attack patterns and other threats.
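Anomaly detection in a control network is often simpler than in an enterprise network because the traffic is highly regular: a fixed set of hosts exchange a fixed set of operations at a steady rate. The following added example (not code from the original document) learns such a baseline from a clean training window and then flags three kinds of deviation in live traffic: a host pair never seen before, an operation a known pair never used, and a request rate well above the pair's learned peak. The log format, addresses and operation names (READ, WRITE) are constructed for the example.

```python
"""Baseline (allow-list) anomaly detector for a control network.

Added illustration of the anomaly-detection IDS idea; not code from the
original document. Log format, hosts and operation names are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PairKey = Tuple[str, str]  # (source address, destination address)


@dataclass
class Event:
    second: int   # timestamp in whole seconds
    src: str
    dst: str
    op: str       # operation name from a constructed vocabulary (READ / WRITE)


def parse_line(line: str) -> Event:
    """Parse a constructed log line of the form '<second> <src> <dst> <op>'."""
    sec, src, dst, op = line.split()
    return Event(int(sec), src, dst, op)


class Baseline:
    """What 'normal' looks like, learned from a clean training window:
    which hosts talk to which, which operations each pair uses, and the
    highest per-second request count seen for each pair."""

    def __init__(self) -> None:
        self.ops: Dict[PairKey, Set[str]] = defaultdict(set)
        self.max_rate: Dict[PairKey, int] = defaultdict(int)

    def learn(self, events: List[Event]) -> None:
        per_second: Counter = Counter()
        for ev in events:
            key = (ev.src, ev.dst)
            self.ops[key].add(ev.op)
            per_second[(key, ev.second)] += 1
        for (key, _), n in per_second.items():
            self.max_rate[key] = max(self.max_rate[key], n)


def detect(baseline: Baseline, events: List[Event], rate_factor: int = 3) -> List[str]:
    """Return one alert per anomaly: unknown pair, unknown operation for a
    known pair, or a pair exceeding rate_factor x its learned peak rate."""
    alerts: List[str] = []
    per_second: Counter = Counter()
    for ev in events:
        key = (ev.src, ev.dst)
        if key not in baseline.ops:
            alerts.append(f"new pair {ev.src}->{ev.dst} at t={ev.second}")
            continue
        if ev.op not in baseline.ops[key]:
            alerts.append(f"new op {ev.op} for {ev.src}->{ev.dst} at t={ev.second}")
        per_second[(key, ev.second)] += 1
        # Fire once, at the instant the rate threshold is crossed.
        if per_second[(key, ev.second)] == rate_factor * baseline.max_rate[key] + 1:
            alerts.append(f"rate spike {ev.src}->{ev.dst} at t={ev.second}")
    return alerts


# Constructed clean training window: HMI 10.0.1.10 reads from two IEDs,
# engineering host 10.0.1.11 writes to one of them, one request per second.
TRAINING_LOG = [
    "0 10.0.1.10 10.0.2.20 READ",
    "1 10.0.1.10 10.0.2.20 READ",
    "2 10.0.1.10 10.0.2.21 READ",
    "3 10.0.1.11 10.0.2.20 WRITE",
]

# Constructed live traffic containing three deviations from the baseline.
LIVE_LOG = [
    "10 10.0.1.10 10.0.2.20 READ",   # normal
    "11 10.0.1.10 10.0.2.20 WRITE",  # HMI never wrote before
    "12 10.0.9.9 10.0.2.20 READ",    # unknown host talks to an IED
    "13 10.0.1.10 10.0.2.21 READ",
    "13 10.0.1.10 10.0.2.21 READ",
    "13 10.0.1.10 10.0.2.21 READ",
    "13 10.0.1.10 10.0.2.21 READ",   # four in one second vs. a peak of one
]


def run_example() -> List[str]:
    baseline = Baseline()
    baseline.learn([parse_line(l) for l in TRAINING_LOG])
    return detect(baseline, [parse_line(l) for l in LIVE_LOG])


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The allow-list style works because legitimate control traffic rarely changes; the same approach would produce constant false positives on a general-purpose enterprise segment, which is one reason the text argues for an IDS specialised to industrial protocols rather than a reuse of enterprise tooling.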